Keeping Cybersecurity Separate from Geopolitics

Last week, Kaspersky Lab was in the spotlight again in another ‘sensational’ news stream.

I say ‘again’ as this isn’t the first time we’ve been faced with allegations, ungrounded speculation and all sorts of other made-up things since the change of the geopolitical situation a few years ago. With the U.S. and Russia at odds, somehow, my company, its innovative and proven products as well as our amazing employees are repeatedly being defamed, given that I started the company in Russia 20 years ago. While this wasn’t really a problem before, I get it– it’s definitely not popular to be Russian right now in some countries.

For some reason the assumption continues to resonate that since we’re Russian, we must also be tied to the Russian government. But really, as a global company, does anyone seriously think we could survive this long if we were a pawn of ANY government? Our whole business is based on one thing – besides expertise – and that’s trust. Would we really risk our whole business by undermining our trustworthiness?

Especially given that the best non-Kaspersky Lab security researchers (hackers) are constantly scouring our code/products to find and report vulnerabilities. In fact, we even have a public bug bounty program, where we pay researchers to examine our products and search for any issues or possible security concerns. If there was anything suspicious or nefarious to find, they would have publicly shouted it to the roof tops by now.

Obviously, as a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyber-espionage efforts (cyber-espionage is what we’re fighting!). While I find these ongoing accusations and false allegations extremely frustrating, I’ve noticed that all the attacks possess a few things in common, including:

And every time we’re accused, we refute the false allegations, respond with the actual facts of the matter, and tell the world about it on a public forum of some sort. Regardless of these attacks, we don’t let them stop us from fulfilling our mission – protecting people and businesses around the world from any cyberthreats.

For example, when the world recently experienced one of the largest ransomware outbreaks, called WannaCry, Kaspersky Lab was on the front lines protecting against this massive cyberthreat. Our proactive technologies kept customers safe, while users of other cybersecurity products were not so secure… At the same time, our elite global research team worked together with the rest of the cybersecurity community to investigate the attacks and data recovery mechanisms. And well done, boys and girls!

Now, only a few weeks after WannaCry, Kaspersky Lab is facing one of the most serious challenges to its business yet, given that members of the U.S. government wrongly believe the company or I or both are somehow tied to the Russian government. Without any evidence presented (because there isn’t any), these false assumptions have led to an extreme new measure. Currently there is language included in a a draft authorization bill that would prohibit the U.S. Department of Defense from using Kaspersky Lab products, reportedly due to concerns that the company ‘might be vulnerable to Russian government influence’. ARE YOU KIDDING ME?!

Basically, it seems that because I’m a self-made entrepreneur who, due to my age and nationality, inevitably was educated during the Soviet era in Russia, they mistakenly conclude my company and I must be bosom buddies with the Russian intelligence agencies… Yes it is that absurdly ridiculous.

OK…I cannot change where I grew up or where I started my company, but I’ve dedicated my entire career to protecting the world from cyberthreats. Even though we’ve successfully protected people and businesses for more than 20 years, we might actually be banned from being used in select U.S. government agencies. How did we get here?

We want the government, our users and the public to fully understand that having Russian roots does not make us guilty

In addition, we’ve offered the U.S. government any assistance it might need to help clarify the ongoing confusion regarding the falsely perceived threat they wrongly believe our products and technologies pose. We’re even willing to meet with any of them and give them our source code to thoroughly review it, as we’ve got nothing to hide. We want the government, our users and the public to fully understand that having Russian roots does not make us guilty.

If banning technologies from companies from other regions is the path we’re on now, imagine just how easy it would be for any other country to exclude U.S. companies from governmental contacts using the same unjust, invalid arguments we heard about my company, such as: “They’re a potential threat…; we’re very concerned about them [foreign software developers] and the security of our country!…”

But it doesn’t stop there.

There are other negative side-effects of prohibiting the use of technologies from specific regions because they are falsely judged as being an extension of those regions’ governments. Given the current geopolitical state of affairs, here are five destructive repercussions we could easily see:

One: Government organizations won’t be able to use the best cybersecurity protection available. Since having multiple layers of security technologies, from several developers, provides the most comprehensive protection, there’s a clear need for a vendor that protects against all cyberthreats – regardless of their origin, language or purpose.

Two: A slowdown in the development of cybersecurity technologies. Because government contracts won’t go to the best, but only to companies originating in their country, there will be a lack of investment in cybersecurity innovation. For instance, smaller companies from the ‘wrong’ countries won’t have as many prospects to help generate interest and additional seed money needed to enhance their technologies as well as grow their businesses.

Three: Limiting the usage of cybersecurity products would narrow the statistical base of their developers and lower their reaction times to new global threats as they arise. If the sanctions game goes global this would apply to the majority of developers and the entire global industry and, consequently, all users without exception would be more vulnerable to bad guys too. This would mean that Christmas would come early – and often – for the cybercriminals.

Four: By restricting companies based on their location, international cooperation would be severely impacted. For more than a decade at every cybersecurity conference, you hear everyone saying (me – the loudest!) we need to have more trust, more openness, more cooperation and more partnerships in the fight against global cybercrime. To keep up with the current evolving threat landscape, law enforcement from different countries must work with members of the cybersecurity community in order to catch and stop cybercriminals worldwide.

Five: Last but not least, this trend would lead to significantly limiting competition in the cybersecurity industry, and we all know that competition is healthy for the end user to get the best possible protection. Not all vendors have the same capabilities or expertise. Also, attackers will know that they only have to break specific technologies to get into infrastructure, businesses and governments when those entities are protected only by home-grown cybersecurity companies. This will make hacking easier for attackers. Granted, while there will still be some internal, domestic competition remaining of course, it won’t be nearly as fierce.

Far-reaching decisions based on pure speculation and false assumptions will negatively impact the global cybersecurity climate

As you can tell, these five negative impacts are nothing to be laughed at, and we need to stop and think about the possible repercussions that well-meaning but misguided actions could have on global cybersecurity. It’s not smart to base far-reaching decisions on pure speculation and false assumptions.

So, I hope the U.S. government will take me up on my offer to fully cooperate with them, because I know that if they do they’ll see there’s nothing to fear from us. Let’s not return to the days of McCarthyism and start attacking people and companies (that are successfully protecting consumers and businesses from cyberthreats) simply because they were born or developed in another country. Cyber-McCarthyism will get us nowhere.

Is it right to ban products because of their origin?

@e_kaspersky ‘s opinion on how that would negatively impact global #cybersecurity